SOCIAL SECURITY
MEMORANDUM

Date:      April 23, 2008

To:        The Commissioner

From:      Inspector General

Subject:   Assessing the Application Controls for the Social Security Administration’s Modernized Claims System and National Disability Determination Services System (A-15-07-17155)

OBJECTIVE

We contracted with PricewaterhouseCoopers, LLP (PwC) to complete full-scope audits of the Social Security Administration’s (SSA) National Disability Determination Services System and Modernized Claims System in conjunction with the Government Performance and Results Act. Attached is the final report presenting the results of PwC’s review. For the applications included in this audit, PwC’s objectives were to:

• Assess the effectiveness of internal controls, both automated and manual, and test key controls over access controls, data input, data processing, data rejection, and data output as they relate to the performance indicators.

• Assess the overall reliability of the applications’ computer-processed data as they relate to the performance indicators. Data are reliable when they are complete, accurate, consistent and are not subject to inappropriate alteration.

Please provide within 60 days a corrective action plan that addresses each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O’Carroll, Jr.

Attachment


OFFICE OF THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

ASSESSING THE APPLICATION CONTROLS FOR THE SOCIAL SECURITY ADMINISTRATION’S MODERNIZED CLAIMS SYSTEM AND NATIONAL DISABILITY DETERMINATION SERVICES SYSTEM

April 2008   A-15-07-17155

AUDIT REPORT


Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.


MEMORANDUM

Date:      March 31, 2008

To:        Inspector General

From:      PricewaterhouseCoopers, LLP

Subject:   Assessing the Application Controls for the Social Security Administration’s Modernized Claims System and National Disability Determination Services System (A-15-07-17155)

OBJECTIVE

The Government Performance and Results Act of 1993 (GPRA)[1] requires that the Social Security Administration (SSA) develop performance indicators that assess the relevant service levels and outcomes of each program activity.[2] GPRA also calls for a description of the means employed to verify and validate the measured values used to report on program performance.[3] The majority of data used in the calculation and measurement of performance indicators are generated from applications that support the Agency's mission and objectives. Therefore, application control reviews are essential in determining the completeness, accuracy, and validity of data.

Our audit was conducted in accordance with generally accepted government auditing standards for performance audits. For the applications included in this audit, our objectives were to:

• Assess the effectiveness of internal controls, both automated and manual, and test key controls over access controls, data input, data processing, data rejection, and data output as they relate to the performance indicators.
• Assess the overall reliability of the applications’ computer-processed data as they relate to performance indicators. Data are reliable when they are complete, accurate, consistent and are not subject to inappropriate alteration.[4]

[1] Public Law Number 103-62, 107 Stat. 285 (codified as amended in scattered sections of 5 United States Code (U.S.C.), 31 U.S.C. and 39 U.S.C.).
[2] 31 U.S.C. § 1115(a)(4).
[3] 31 U.S.C. § 1115(a)(6).
[4] Government Accountability Office (GAO)-03-273G, Assessing Reliability of Computer Processed Data, October 2002, p. 3.

Assessing the Application Controls for SSA’s MCS and NDDSS (A-15-07-17155)

BACKGROUND

We audited the following applications as they related to specific performance indicators audited during FY 2007.

Application                                   Related Performance Indicators

Modernized Claims System (MCS)                • Disability Determination Services (DDS) net accuracy rate (allowances and denials combined)
                                              • Maintain the number of initial disability claims pending in the Disability Determination Services (DDS) (at/below the FY 2007 goal)

National Disability Determination             • Number of SSI [Supplemental Security Income] disabled beneficiaries earning at least $100 per month
Services System (NDDSS)                       • Number of Supplemental Security Income (SSI) non-disability redeterminations processed

SSA administers the Old-Age and Survivors Insurance (OASI), Disability Insurance (DI), and SSI programs.
The OASI program, authorized by Title II of the Social Security Act, provides income for eligible workers and eligible members of their families and survivors.[5] The DI program, also authorized by Title II of the Social Security Act, provides income for eligible workers with qualifying disabilities and eligible members of their families, before those workers reach retirement age.[6] The SSI program, authorized by Title XVI of the Social Security Act, was designed as a needs-based program to provide or supplement the income of aged, blind, and/or disabled individuals with limited income and resources.[7]

SSA systems play a key role in the creation, collection, and reporting of performance indicator data for the Title II and Title XVI programs. MCS and NDDSS are two of these systems. MCS is the front-end data processing system for OASDI used to determine a claimant's eligibility, compute a monthly benefit amount, and establish a master record for beneficiaries who file under Title II. It provides the initial transactional Title II data used in the indicators, "Disability Determination Services (DDS) net accuracy rate (allowances and denials combined)"[8] and "Maintain the number of initial disability claims pending in the Disability Determination Services (DDS) (at/below the FY 2007 goal)."[9] NDDSS is the data processing system that tracks receipt, development, and clearance decisions of disability claims, both DI and SSI, and passes these data to the DI and SSI systems. It provides the initial transactional data for the indicators, "Number of SSI disabled beneficiaries earning at least $100 per month"[10] and "Number of Supplemental Security Income (SSI) non-disability redeterminations processed."[11]

[5] The Social Security Act §§ 201-234, 42 U.S.C. §§ 401-434.
[6] Id.
[7] The Social Security Act §§ 1601-1637, 42 U.S.C. §§ 1381-1383f.
[8] SSA FY 2007 Performance and Accountability Report (PAR), p. 59.

RESULTS OF REVIEW

Our assessment identified issues with internal controls and data reliability for both applications reviewed in this report. Specifically, we noted weaknesses in the operating effectiveness of access controls related to application transactions. For NDDSS, we also noted programmers had update access to production datasets. As a result of these internal control weaknesses, we did not find the performance indicator data to be reliable.

Modernized Claims System

Application Background

To determine eligibility, a claimant must file a claim with SSA. The individual submits a claim at 1 of approximately 1,300 field offices (FO) or via the Internet. FO staff interview the claimant and provide assistance with the completion of necessary applications. Initial interviews are conducted in person or through telephone calls to obtain necessary information, such as income, resources, and work history. In addition, basic medical information concerning the disability, medical treatments, and identification of treating sources is also obtained. This information may also be supplied via the Internet. The FO staff inputs the application data into MCS.

MCS has built-in edits and controls to reduce the risk of incorrect data entry.
These include, but are not limited to, the following.

• Surface edits send an error message on-screen if a field is not the required length, a mandatory field is not completed, data are repeated in a field, or nonmatching types of data are entered.
• Relationship edit checks validate data entered by the FO staff on one screen with data entered on that screen (intrascreen edit) and all other input screens (interscreen edit).
• A file to screen edit checks to ensure that data entered and transmitted agree with information contained in other SSA databases.
• Adjudicative edits occur when data on the screen do not agree with the adjudicative rules for documentation and entitlement factors programmed into MCS.

[9] Id. p. 55.
[10] SSA FY 2006 PAR, p. 83.
[11] SSA FY 2007 PAR, p. 70.

If the applicant is filing a claim that involves disability, the applicant signs a medical authorization release form. The FO staff mails these forms and medical evidence to the DDS for medical determination. MCS electronically sends the applicants' data to NDDSS. The DDS will review the medical evidence, make a disability determination, and record the disability determination in the system, NDDSS, which will electronically send the results to MCS.

Finally, MCS computes the monthly benefit payable based on the initial claim or the post-entitlement event.[12] It will also create a Master Beneficiary Record (MBR), which summarizes each beneficiary's Title II claims.

Findings

Internal Controls and Data Reliability

Our review of access controls noted that two users had excessive access to Customer Information Control System (CICS) screen SC17 (Earnings) within the MCS and did not require this access to perform their jobs.[13] CICS is a transaction processing system designed for both on-line and batch activity. SSA management did not appropriately restrict access to these transactions. The SSA Information System Security Handbook (ISSH) states, "Access to all SSA functions associated with software or enterprise systems must be managed based on need-to-know and least privilege. This specifically includes changes/updates to software, production jobs, and supporting hardware deployments. This access control maintenance policy must be applied across the SSA enterprise."[14] In addition, Office of Management and Budget (OMB) Circular A-130 requires that agencies implement the practice of least privilege, whereby user access is restricted to the minimum necessary to perform his or her job, and enforce a separation of duties so steps in a critical function are divided among different individuals. It also emphasizes the importance of management controls – such as individual accountability requirements, separation of duties enforced by access controls, and limitations on the processing privileges of individuals – to prevent and detect inappropriate or unauthorized activities.[15]

[12] If this is an initial claim, the initial claims operation application will compute the Primary Insurance Amount and benefit amount; however, if the claim is a post-entitlement event, then the automated earnings recomputation operation application recalculates Primary Insurance Amounts of beneficiaries to give credit for additional Federal Insurance Contributions Act earnings.
[13] SSA management corrected both of the users' profiles to appropriately align with their job responsibilities; therefore, this finding was remediated.
[14] SSA ISSH, Section 16.3, p. 49.
[15] OMB Circular No. A-130, Appendix III - Security of Federal Automated Information Resources, p. 5.

This issue was noted during the FY 2007 financial statement audit. Also, during the audit timeframe, SSA management removed the excessive application business user access to the MCS application. However, because this internal control weakness existed during the period of review, we did not find the performance indicator data to be reliable.

National Disability Determination Services System

Application Background

If a disability claimant satisfies all of the non-medical criteria, the case is referred to a State DDS to determine whether the claimant satisfies the medical criteria. Information regarding the disability claim is then entered into NDDSS. The following list summarizes some of the more important functions that NDDSS provides for the DDS offices and SSA.

• Track the receipt, development, and clearance decisions of disability claims by the DDS offices. SSA uses this tracking information to assess the timeliness of the decisionmaking process by each DDS. SSA also uses the decisional data as the basis for several quality control and assessment activities.
• Pass disability decisional updates for Title II and XVI claims to the respective payment systems. Once received from NDDSS, the respective system will then schedule the corresponding benefit payment for disbursement to the claimant.
• Provide automated Federal sample and targeted profile selections of disability claims. The decisional data stored within NDDSS forms the basis for several quality assurance studies, such as pre-effectuation reviews, Quality Assurance reviews, and continuing disability reviews. Each one of these reviews is deemed by SSA to serve as a key monitoring activity to ensure the appropriate benefit payment to the corresponding claimants.
• Provide management information to the Disability Operational Datastore, which SSA then uses to measure operational effectiveness across a number of attributes, such as DDS disability decision accuracy.

Findings

Internal Controls and Data Reliability

Our review of access controls revealed the following exceptions.

• Two users had excessive access to the NDDSS CICS transactions and did not require this access to perform their job responsibilities.[16]
• Programmers had update access to NDDSS production datasets and did not require this access to perform their job responsibilities.[17]

[16] SSA management appropriately updated all user access based on job responsibilities; therefore, this finding was remediated.

The SSA ISSH states, "Access to all SSA functions associated with software or enterprise systems must be managed based on need-to-know and least privilege. This specifically includes changes/updates to software, production jobs, and supporting hardware deployments. This access control maintenance policy must be applied across the SSA enterprise."[18] In addition, OMB Circular A-130 requires that agencies implement the practice of least privilege, whereby user access is restricted to the minimum necessary to perform his or her job, and enforce a separation of duties so steps in a critical function are divided among different individuals.
It also emphasizes the importance of management controls – such as individual accountability requirements, separation of duties enforced by access controls, and limitations on the processing privileges of individuals – to prevent and detect inappropriate or unauthorized activities.[19]

[17] SSA management appropriately updated all user access based on job responsibilities; therefore, this finding was remediated.
[18] SSA ISSH, Section 16.3, p. 49.
[19] OMB Circular No. A-130, Appendix III - Security of Federal Automated Information Resources, p. 5.

These issues were noted during the FY 2007 financial statement audit. Also, during the audit timeframe, SSA management removed the excessive application business user and programmer access to the NDDSS application. However, because this internal control weakness existed during the period of review, we did not find the performance indicator data to be reliable.

CONCLUSION AND RECOMMENDATION

We recommend SSA:

1. Consistently restrict access to CICS screens and datasets for MCS and NDDSS based on the concept of least privilege access.

AGENCY COMMENTS

The Agency agreed with our recommendation. The Agency’s comments are included in Appendix D.


Appendices

APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Process Flowcharts
APPENDIX D – Agency Comments


Appendix A

Acronyms

CICS      Customer Information Control System
DDS       Disability Determination Services
DI        Disability Insurance
FO(s)     Field Office(s)
FY        Fiscal Year
GAO       Government Accountability Office
GPRA      Government Performance and Results Act of 1993
IDMS      Integrated Disability Management System
ISSH      SSA Information System Security Handbook
MBR       Master Beneficiary Record
MCS       Modernized Claims System
MSSICS    Modernized Supplemental Security Income Claims System
NDDSS     National Disability Determination Services System
OASI      Old-Age and Survivors Insurance
OIG       Office of the Inspector General
OMB       Office of Management and Budget
PAR       Performance and Accountability Report
PwC       PricewaterhouseCoopers
SSA       Social Security Administration
SSI       Supplemental Security Income
U.S.C.    United States Code


Appendix B

Scope and Methodology

We updated our understanding of the Social Security Administration’s (SSA) Government Performance and Results Act processes and relevant applications. This was completed through research and questions to SSA management.

Through inquiry, observation, and other substantive testing, including testing of source documentation, we performed the following.

• Reviewed applicable laws, regulations and SSA policy.
• Assessed the effectiveness of internal controls, both automated and manual, and tested key controls over access controls, data input, data processing, data rejection, and data output as they related to the performance indicators.
• Assessed the overall reliability of the applications’ computer-processed data as they relate to the performance indicators. Data are reliable when they are complete, accurate, consistent and are not subject to inappropriate alteration.[1]

We followed all performance audit standards in accordance with generally accepted government auditing standards.
In addition to these steps, we specifically performed the following to test the applications in this report.

• Inquired of personnel regarding application(s) that Modernized Claims System (MCS) and National Disability Determination Services System (NDDSS) interfaced with to report performance indicator results.
• Completed an application controls review of MCS.
    o Inspected a selection of users to determine whether their access to MCS transactions and datasets was appropriate.
    o Performed Computer Assisted Audit Tests over MCS data to determine whether programmed edits and validations were operating as intended.
    o Inspected a selection of sysouts to determine whether the data processed completely.
    o Inspected a selection of disability records to determine whether the disability decision was accurately transferred from NDDSS to MCS.
• Completed an application controls review of NDDSS.
    o Inspected a selection of users to determine whether their access to NDDSS transactions and datasets was appropriate.
    o Inspected a selection of sysouts to determine whether the data processed completely.
    o Inspected the interface records from NDDSS to the application Disability Operational Data Store.
• Inquired, inspected, and observed the key controls over the general control environment, specifically Entity-wide Security, Access Controls, Change Control, System Software, and Service Continuity for MCS and NDDSS.

[1] Government Accountability Office 03-273G, Assessing Reliability of Computer Processed Data, October 2002, p. 3.

We assessed the computer-processed data reliability as it relates to the performance indicators in accordance with GAO guidance.[2] We determined that the performance indicator data, which are processed through the MCS and NDDSS applications, in this report are not sufficiently reliable given the audit objective and intended use of the performance indicator data. We base this determination on the internal control testing over the access controls, as previously discussed in this report. Because the use of these performance data could lead to an incorrect or unintentional message, we completed testing to determine whether a selection of users had appropriate access to transactions and datasets specific to MCS and NDDSS to provide support for our findings.
Please see the MCS and NDDSS Findings sections on pages 4 and 5 of this\nreport for further discussion and recommendations regarding the reliability of the\nperformance indicator data.\n\n\n\n\n2\n    Id.\n\n\nAssessing the Application Controls for SSA\xe2\x80\x99s MCS and NDDSS (A-15-07-17155)             B-2\n\x0c                                                                                                                                                           Appendix C\n\nTitle II and Title XVI Process Including Modernized Claims\nSystem and National Disability Determination Services\nSystem - Flowchart\n\n\n                                                                                      NDDSS Process Flow\n\n                                                                                                                     Legend:\n                            Field Office\n                              (FO)                                                                                   *RUC = Receipt, Update, Closure of Claim\n                           Modernized Supplemental\n Integrated Disability\n                            Security Income Claims        Modern Claims\n Management System\n                              System (MSSICS)             System (MCS)\n  (IDMS): CDRTTW\n         IFOA                          DDTR                    TDTR\n\n\n\n                                                                                                                                                            Backend\n                                   Traffic File\n                                                                                                                                                             MCS\n\n\n                                                                                                                                                            MSSICS\n                                TRINDP\n                      
                                                                                                                               48\n                                 Batch                                                                                                             46        IDMS:    CDR \xe2\x80\x93 Continuing\n                                Process                                                                                                                       CDR     Disability Review\n                                                                                                              Traffic File                                    TTW\n                                                                                                                                   TR Split         D                 TTW \xe2\x80\x93 Ticket to Work\n                         VSAM              VSAM                                                      48                                           Im DS\n                                                                      ND86                         46                                               ag                Disability\n                                                                                                                                                       e\n                  831                                                                                S                                                      DIODS     Operational Data\n                                                                             National             DD ge                                                               Store\n                Down-                             INDP                      Disability             Ima\n                 load                                                     Determination\n                     ND19                                                   Services\n      
              Triggers                                                 System\n                                                                                                                                          Files                               States\n                   download -                                               (NDDSS)\n                                                                                                                                       Transmitted\n                     02,16\n                                                                                                                                        Mngmt.\n                                                                                                                                        Reports\n             Versa,                                          RUC\n                                                                                                                                                                        Office of Disability\n             Levy,\n                                                                                                               DADSREPS                  Closed                                (OD)\n            States&                                                          NDDSS                               Batch                   Claims\n            Nebrask                                                          Master\n               a                                                                                                                                                        Office of Quality\n                                                              Prelim-                                                                     831\n                                                                                                                                         Sample                        
Performance (OQP)\n                                                              01,06\n                                                                                                                                                                        Federal Disability\n                                                                          Once                                                                                        Determination Service\n                                                                          Prelim                                DAFOCUS                                                     (FDDS)\n                                                                                                                  Batch                 Closed/\n                                                          MIDAS         Receipted -\n                                                                                                                                        Pending\n                                                         States &         02,16\n                                                                                                                                        Claims\n                                                           New                                                                                                        Regional Office (RO)\n                                                           York       MIDAS \xe2\x80\x93 Modernized Interim Disability\n                                                                      Adjudication System\n\n\n\n\nAssessing the Application Controls for SSA\xe2\x80\x99s MCS and NDDSS (A-15-07-17155)                                                                                                                     C-1\n\x0cTitle II and Title XVI Process Including Modernized Claims\nSystem and National Disability Determination Services\nSystem - 
Narrative

•   Claims are submitted at SSA field offices or via the Intranet.
•   Field office staff will conduct an interview with the claimant and provide assistance in
    completion of necessary applications. The field office staff will input application data
    into the Modernized Claims System (MCS) for Disability Insurance (DI), Title II, and the
    Modernized Supplemental Security Income (SSI) Claims System (MSSICS) for SSI,
    Title XVI.
•   The transfer transactions trigger the writing of the claim records to the Traffic file.
•   MCS, MSSICS, and the Integrated Disability Management System (IDMS) (claims
    regarding continuing disability) records are input into a batch job named TRINDP.
•   TRINDP is run nightly, processing files from MCS, MSSICS and IDMS.
•   This creates two Virtual Storage Access Method files: the 831 Download and INDP.
    The 831 Download file is used by States running Versa and Levy, and by Nebraska, to
    receipt claims. The INDP file is used by Modernized Interim Disability Adjudication
    System States and New York.
•   This file is used to create the prelim, which is an abbreviated version of the claim
    record on the NDDSS Master.
•   The disability determination services (DDS) receipts the claim into the NDDSS; the
    prelim is converted to an active claim record.
•   Legacy system receipt functions correlate directly to the NDDSS Receipt screen.
•   Claim receipt, update, and closure transaction information is written in real time to the
    Traffic File in two formats: the 4648 (Data Transmission file) or the DDS Image file.
•   A function called TRSPLIT extracts NDDSS records from the Traffic file, according to
    record types.
    During TRSPLIT the following occurs:
       o 4648 records update the backend systems of MCS, MSSICS, and IDMS with
         the claim receipt, update, and closure information.
•   DDS Image records are transmitted to the Disability Operational Data Store.
•   Extractions from the NDDSS Master are provided for two batch processes called
    DADSREPS and DAFOCUS.
•   DADSREPS is a daily batch process that produces the Management Information
    Reports for states that elect to receive the reports, the Closed Claim Records for
    Office of Disability, and the 831 Sample File. Two sample files are created from the
    831, including the Office of Quality Performance (the records provided are those
    meeting the random and targeted sample criteria) and the Disability Hearing Office
    (random sample information provided to the Federal Disability Determination
    Service).
•   DAFOCUS is a weekly batch process that extracts closed and pending claims from
    the NDDSS master.
    The extract provides a mirror image of all claims in the form of
    two files, Closed and Pending.
•   Files transmitted from these batch jobs are available for States, the Office of
    Disability Systems, the Office of Quality Performance, Federal Disability
    Determination Service, and Regional Offices.

Appendix D

Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date:      March 31, 2008                                   Refer To:   S1J-3

To:        Patrick P. O'Carroll, Jr.
           Inspector General

From:      David V. Foster /s/
           Chief of Staff

Subject:   Office of the Inspector General (OIG) Draft Report, “Assessing the Application Controls for the
           Social Security Administration’s Modernized Claims System and National Disability
           Determination Services System” (A-15-07-17155)—INFORMATION

We appreciate OIG’s efforts in conducting this review. Our comment on the recommendation is
attached.

Please let me know if we can be of further assistance. Staff inquiries may be directed to
Ms.
Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.

Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT
REPORT, “ASSESSING THE APPLICATION CONTROLS FOR THE SOCIAL
SECURITY ADMINISTRATION’S MODERNIZED CLAIMS SYSTEM AND
NATIONAL DISABILITY DETERMINATION SERVICES SYSTEM” (A-15-07-17155)

Thank you for the opportunity to review and provide comments on this draft report.

Recommendation

Consistently restrict access to the Customer Information Control System (CICS) screens and
datasets for the Modernized Claims System (MCS) and the National Disability Determination
Services System (NDDSS) based on the concept of least privilege access.

Comment

We agree. We will consistently restrict access to CICS screens and datasets for MCS and
NDDSS based on the concept of least privileged access. We believe the value of the data in
these systems should be complete, accurate, and not subject to inappropriate alterations.

We will continue to educate staff on the merits of restricting the access of Disability
Determination Services (DDS) employees to our systems. We will make sure employees
understand that the best means of restricting systems access is to assign DDS employees security
profiles that adhere to our System Access Policy principles of least privilege and need to know
basis. We will issue instructions regarding the security profiles available for assignment to DDS
personnel. We will also seek input on ways to better communicate information on DDS security
profiles and proper assignment. This effort will help us to achieve consistency in restricting
access to our systems.
We plan to complete these actions by March 31, 2008.

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Resource Management (ORM). To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.

Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security
Administration’s (SSA) programs and operations and makes recommendations to ensure
program objectives are achieved effectively and efficiently. Financial audits assess whether
SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash
flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs
and operations. OA also conducts short-term management and program evaluations and projects
on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties. This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel.
OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary
Penalty program.

Office of Resource Management

ORM supports OIG by providing information resource management and systems security. ORM
also coordinates OIG’s budget, procurement, telecommunications, facilities, and human
resources. In addition, ORM is the focal point for OIG’s strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.
'